Re: Puppet Bootstrapping

On Tue, 2006-09-26 at 16:18 +0100, Mark McLoughlin wrote:
> Hi David,
> 
> On Tue, 2006-09-05 at 15:32 -0700, David Lutterkort wrote:
> > On Wed, 2006-08-30 at 14:18 +0100, Mark McLoughlin wrote:
> > > 	A cert certifies that if a client can prove that it has access to the
> > > associated private key, then you can trust that it is the host named in
> > > the SubjectName.
> > > 
> > > 	What happens on networks where clients aren't necessarily assigned
> > > hostnames?
> > 
> > Puppet doesn't really require that the hostname in the cert corresponds
> > to anything in DNS or the like. I've successfully used puppet from
> > client A with client B's cert, and the server does act as if client B
> > had connected.
> > 
> > It would be wise in general to have cert subject == DNS name, but it's
> > not essential. Anything besides the hostname for a client is taken from
> > 'facts' that the client sends to the server, including IP address.
> > 
> > For security purposes, the important point is that the puppet manifest
> > identifies clients by the hostname and not by some other attribute, like
> > IP, which is easy to spoof for the client.
> 
> 	This all sounds truly bizarre to me.

Maybe my explanation was a little obtuse.

> 	What does an X.509 certificate actually do? A while back my best shot
> at summarising it was:
> 
>     "A public key certificate gives you confidence that the associated
>     private key is owned by the subject named in the certificate."

That's right on.

> 	If puppet is ignoring the SubjectName in a certificate, what exactly
> *is* puppet using the certificate for?

What I was trying to say is exactly the opposite: puppet uses the
SubjectName to identify the client, and takes that as the client's
hostname, no matter what the client or the DNS server think its hostname
is. As far as puppet is concerned, the client's hostname == SubjectName in
the cert. In other words: if you have the private key that goes with the
cert, then you are the client given in the cert's subject.

David
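To make the rule David describes concrete, here is an added Go example (not Puppet's own code, which is Ruby): it builds a throwaway CA and a client certificate in memory, verifies that the client cert chains to that CA, and takes the client's identity from the cert's Subject CN while ignoring whatever hostname the peer claims. `issue` and `identifyClient` are hypothetical names, and proof of private-key possession is assumed to have already happened in the TLS handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue makes a key pair and a cert for cn. With parent == nil it is self-signed and
// stands in for the puppetmaster CA; otherwise parentKey signs it, as puppetca would.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // demo: key-gen errors ignored
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// identifyClient applies the rule from the thread: the TLS handshake (assumed done
// by the caller) proved possession of the private key, so the client IS whatever the
// Subject CN of a cert chaining to our CA says. Claimed hostname and DNS are ignored.
func identifyClient(cert, ca *x509.Certificate, claimedHostname string) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err // e.g. "x509: certificate signed by unknown authority"
	}
	return cert.Subject.CommonName, nil // claimedHostname plays no part in the answer
}
```

Presenting client B's cert from a host that calls itself client A yields "clientb.example.com", while a cert with the same CN from a CA the server does not trust is rejected before any name is read.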
